# Apache Cordova for Android Cross-App Scripting

High

## Product

Apache Cordova for Android

3.5.0 and below

## Technical Details

Attackers can influence the URL of Cordova’s WebView in two different ways:

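```java
// CordovaWebView.java
public void loadUrl(String url) {
    // about:blank and javascript: URLs are loaded directly
    if (url.equals("about:blank") || url.startsWith("javascript:")) {
        this.loadUrlNow(url);
    } else {
        // Reads the 'url' extra from the Intent that started the activity
        String initUrl = this.getProperty("url", null);
        // If first page of app, then set URL to load to be the one passed in
        if (initUrl == null) {
            this.loadUrlIntoView(url);
        }
        // Otherwise use the URL specified in the activity's extras bundle
        else {
            this.loadUrlIntoView(initUrl);
        }
    }
}
```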


First, CordovaWebView.loadUrl(String url) and CordovaWebView.loadUrl(String url, int time) consume the Intent’s ‘url’ extra parameter instead of the ‘url’ argument. The first method does that only if the argument’s URI scheme is not JavaScript and the URI is not ‘about:blank’. Therefore, if the ‘url’ extra parameter can be influenced by the attacker (which is often the case), the WebView’s URL can be controlled.

The second issue relates to the ‘errorurl’ Intent extra parameter and is very similar, except that it is used only if there is an error when loading the original URL (such as connectivity issues). More about the second issue can be found in the paper.
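
The following plain-Java model is an added example, not code from Cordova or from the advisory. It puts the URL selection described above beside a hardened variant and a check for the two extras the advisory names. The `Map` standing in for the Intent extras, the `TRUSTED_PREFIX` value, the class and method names, and the sample URL are all assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

public class LoadUrlModel {
    // Assumption: the app only ever loads content bundled in the APK.
    static final String TRUSTED_PREFIX = "file:///android_asset/www/";

    // Behaviour described in the advisory: a 'url' extra overrides the argument.
    static String vulnerableTarget(String url, Map<String, String> extras) {
        if (url.equals("about:blank") || url.startsWith("javascript:")) {
            return url;
        }
        String initUrl = extras.get("url");
        return (initUrl == null) ? url : initUrl;
    }

    // Hardened model: Intent extras are never consulted, and the argument
    // must point at bundled content without path traversal.
    static String hardenedTarget(String url) {
        if (url.equals("about:blank") || url.startsWith("javascript:")) {
            return url;
        }
        if (!url.startsWith(TRUSTED_PREFIX) || url.contains("..")) {
            throw new IllegalArgumentException("refusing to load " + url);
        }
        return url;
    }

    // Detection helper: which of the two extras named in the advisory are
    // present and point outside the trusted prefix (worth logging).
    static List<String> untrustedExtras(Map<String, String> extras) {
        List<String> hits = new ArrayList<>();
        for (String key : new String[] {"url", "errorurl"}) {
            String value = extras.get(key);
            if (value != null && !value.startsWith(TRUSTED_PREFIX)) {
                hits.add(key);
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        String startPage = TRUSTED_PREFIX + "index.html";
        Map<String, String> extras = new HashMap<>();  // constructed sample extras
        extras.put("url", "https://untrusted.example/page.html");
        System.out.println("vulnerable loads: " + vulnerableTarget(startPage, extras));
        System.out.println("hardened loads:   " + hardenedTarget(startPage));
        System.out.println("flagged extras:   " + untrustedExtras(extras));
    }
}
```

With the same start page and extras, the vulnerable model returns the value of the extra while the hardened model returns the bundled start page, and the helper flags the ‘url’ extra for logging.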